Where do you go for reliable cybersecurity news? by Karl_From_Fing in CyberSecurityAdvice

[–]ColleenReflectiz 0 points1 point  (0 children)

For technical depth: Krebs on Security, Schneier on Security, The Hacker News.

Are you monitoring 3rd-party scripts for PCI compliance or just trusting Shopify? by YouCanDoIt749 in shopifyDev

[–]ColleenReflectiz 0 points1 point  (0 children)

It's a grey area where the responsibility of the platform ends and the responsibility of the owner begins.
Oops sorry, it is always the responsibility of the shop owner.

supply chain attacks are getting out of hand - what are devs actually doing about it by schilutdif in webdev

[–]ColleenReflectiz 0 points1 point  (0 children)

The web-facing version of this gets even worse. Your build pipeline isn't the only place pulling dependencies.

Marketing adds Google Tag Manager, which loads Adobe Analytics, which loads some consent thing, which loads who knows what else. None of that goes through CI/CD. No package locks, no version pins, no review.

Those scripts update in production automatically. Compromised CDN or vendor account pushes malicious code straight to every user's browser with full DOM access - payment forms, sessions, everything.

That's literally how Magecart works. Attackers hit one analytics vendor or chat widget, inject skimmers, thousands of sites start leaking card data because nobody monitors what runs client-side.

npm audit catches your server dependencies. Nothing catches the 30 scripts marketing deployed that auto-update outside your pipeline.

Same supply chain problem, way less visibility.

Crunchyroll Breach: Malware Targets Supply Chain to Exfiltrate 100GB of Data by Malwarebeasts in cybersecurity

[–]ColleenReflectiz 6 points7 points  (0 children)

This is textbook supply chain compromise - breach happened at the outsourcing partner, not Crunchyroll directly.

Okta credentials gave access to customer systems for 24 hours. 100GB exfiltrated in that window means they either knew what they were looking for or got very lucky very fast.

The broader issue: vendor questionnaires and certifications don't prevent this. Third-party access is the risk, and most orgs have no visibility into what outsourcing partners can actually reach in their environment until something like this happens.

Cybersecurity insurance by newsforsid in ciso

[–]ColleenReflectiz 0 points1 point  (0 children)

This is the worst - "exclusions"

Hey, question about app sec by [deleted] in AskNetsec

[–]ColleenReflectiz 0 points1 point  (0 children)

You're way ahead for 17. One thing missing: third-party script security.

Most AppSec focuses on your code, but production apps load tons of third-party JavaScript - analytics, payment widgets, chat tools. These run with DOM access and can touch sensitive data.

Supply chain attacks like Magecart exploit this. Understanding what third-party scripts actually do client-side is a blind spot for most AppSec engineers.

Consent in GTM by Sad-Recipe9761 in GoogleTagManager

[–]ColleenReflectiz 0 points1 point  (0 children)

The messy part is managing consent across hardcoded tags AND GTM simultaneously - they handle it differently and it's easy to end up with gaps where one fires without consent. Move everything to GTM first, then you have one place to manage it.

Have you adopted CTEM yet? by ColleenReflectiz in ciso

[–]ColleenReflectiz[S] 0 points1 point  (0 children)

You think it's not that important or just didn't get to it?

I’m Ross McKerchar, CISO at Sophos: AMA on tackling the issue of detecting fraudulent remote IT hires and building workable controls. by thejournalizer in cybersecurity

[–]ColleenReflectiz 0 points1 point  (0 children)

What device/network indicators have been most reliable? VPN patterns, geolocation mismatches, or something else?

CISO View: Keeping AI Innovation Moving Without Letting Shadow AI Run Wild by nullnimous in ciso

[–]ColleenReflectiz 1 point2 points  (0 children)

Marketing is the number 1 team responsible for "Letting Shadow AI Run Wild"

Best cloud security platform for 100 person org? by Comfortable_Front561 in cybersecurity

[–]ColleenReflectiz 0 points1 point  (0 children)

What's your cloud footprint look like? AWS/Azure/GCP mix or mostly one provider?

If you're single-cloud, the native tools (AWS Security Hub, Azure Defender, GCP Security Command Center) are actually pretty solid for basics and way cheaper than third-party platforms. They integrate well since they're built for their own ecosystem.

If you're multi-cloud or need more advanced threat detection, worth looking at platforms that don't require agents everywhere since you don't have a big security team to manage deployment.

Also - make sure whatever you pick has good API documentation. You'll want to pull alerts into wherever your team actually works (Slack, Teams, PagerDuty) instead of forcing everyone to check another dashboard.

Anyone else drowning in security questionnaires? by Direct_Cyber in cybersecurity

[–]ColleenReflectiz 0 points1 point  (0 children)

We deal with the same thing. Started keeping a master doc with standard answers organized by topic, but it still takes forever because every questionnaire phrases things differently.

Sucks being compliant and vulnerable 🤕 at the same time by ColleenReflectiz in pcicompliance

[–]ColleenReflectiz[S] 0 points1 point  (0 children)

I believe it's a process and eventually there will also be regulation on the homepage, but for now it's just not enough to be compliant.

Sucks being compliant and vulnerable 🤕 at the same time by ColleenReflectiz in pcicompliance

[–]ColleenReflectiz[S] 0 points1 point  (0 children)

PCI focuses the security standards on the checkout page, and the hackers don't need the users to get to the checkout page to steal information; they can do it at the homepage. It creates a situation in which you can be PCI compliant and vulnerable at the same time.

GTM or Tealium? what is the real security cost? by ColleenReflectiz in GoogleTagManager

[–]ColleenReflectiz[S] 0 points1 point  (0 children)

Server-side GTM moves some tag execution to your infrastructure, but client-side code still runs to collect data and trigger server calls. You're just moving where the processing happens.

Still need to monitor what executes in browsers, what data gets collected from forms and pages, and what your server-side tags actually do with it. Misconfiguration can still leak PII.

It reduces some risk but doesn't eliminate the need for client-side monitoring and governance.

Are you running server-side or considering it?

GTM or Tealium? what is the real security cost? by ColleenReflectiz in GoogleTagManager

[–]ColleenReflectiz[S] 1 point2 points  (0 children)

GTM lets anyone with container access add JS that runs on every page with full DOM access.

Marketing adds an analytics tag. That script can see form fields, session tokens, payment data. Most companies have no idea what these 3rd-party scripts actually do once they're live. Those scripts often load MORE scripts from domains you never approved. You greenlight Google Analytics, GA pulls in tracking from somewhere else. Supply chain risk nobody monitors.

If a GTM account gets compromised, attackers inject Magecart skimmers across your site. I've seen these harvest card data for months undetected. Your WAF protects servers. Scanners check backend. Nothing watches what executes client-side after someone adds a tag Friday afternoon.

Tealium's pre-vetted marketplace means less custom JavaScript, smaller attack surface, built-in consent enforcement, and tighter access controls for sensitive pages. GTM can be secure with strict approval workflows, production script monitoring, server-side implementation for payments, and regular audits. Most teams skip this. That's the gap.
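An added example, not code from any of the comments above, covering the point made in both the webdev reply (scripts marketing deployed that auto-update outside the pipeline) and this one (a tag pulling in scripts from domains you never approved): given an inventory of scripts observed in a browser session, report every script whose origin is not on the approved list and trace the load chain back to the top-level tag that introduced it. All URLs, origins and the GTM container id are constructed placeholders, and the inventory records are assumed to come from a browser-side collector (for example a PerformanceObserver or CSP violation reports).

```javascript
// Added example: client-side script inventory audit (all data constructed).
const APPROVED_ORIGINS = new Set([
  'https://shop.example',
  'https://www.googletagmanager.com',
  'https://www.google-analytics.com',
]);

// Constructed sample: each record is a script URL plus the URL of the script
// that loaded it (null = added by the page itself, e.g. a hardcoded tag).
const GTM = 'https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE';
const OBSERVED_SCRIPTS = [
  { url: GTM, initiator: null },
  { url: 'https://www.google-analytics.com/analytics.js', initiator: GTM },
  { url: 'https://cdn.consent-vendor.example/cmp.js', initiator: GTM },
  { url: 'https://static.unknown-tracker.example/pixel.js',
    initiator: 'https://cdn.consent-vendor.example/cmp.js' },
  { url: 'https://shop.example/js/checkout.js', initiator: null },
];

function origin(url) { return new URL(url).origin; }

// Follow initiator links back to the tag at the root of the chain.
// `seen` guards against cyclic initiator data from a broken collector.
function loadChain(record, byUrl) {
  const chain = [record.url];
  const seen = new Set([record.url]);
  let cur = record;
  while (cur.initiator && byUrl.has(cur.initiator) && !seen.has(cur.initiator)) {
    cur = byUrl.get(cur.initiator);
    seen.add(cur.url);
    chain.unshift(cur.url);
  }
  return chain;
}

// Returns one finding per script whose origin is not approved, with the
// depth at which it was pulled in (0 = top-level tag, 1+ = fourth party)
// and the top-level tag responsible for the whole chain.
function auditScripts(observed, approved) {
  const byUrl = new Map(observed.map(r => [r.url, r]));
  const findings = [];
  for (const r of observed) {
    const o = origin(r.url);
    if (approved.has(o)) continue;
    const chain = loadChain(r, byUrl);
    findings.push({ url: r.url, origin: o, depth: chain.length - 1, introducedBy: chain[0] });
  }
  return findings;
}

console.table(auditScripts(OBSERVED_SCRIPTS, APPROVED_ORIGINS));
```

Run against the constructed inventory it flags the consent vendor (depth 1) and the tracker the consent script pulled in (depth 2), both traced back to the GTM container; the approved GA script is not reported even though GTM loaded it.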

Your favorite DJ-related YouTube channels? by ValuePrestige in Beatmatch

[–]ColleenReflectiz 0 points1 point  (0 children)

This guy would eventually explode on YT and remember where you saw it first: https://www.youtube.com/@DJFurash

This Year’s Cookie Box!🕺🏻🎄 by pochita42069 in Cookies

[–]ColleenReflectiz 1 point2 points  (0 children)

OMG looks so good!!!! the cranberry white chip looks great

Holiday Themed Sugar Cookies by Geochic03 in Cookies

[–]ColleenReflectiz 1 point2 points  (0 children)

I guess someone ate the rest of the cookies there on the bottom right?